[jboss-jira] [JBoss JIRA] Resolved: (JBWEB-134) AuthenticatorBase calls hasResourcePermission when authentication not performed
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Tue Feb 17 09:13:47 EST 2009
[ https://jira.jboss.org/jira/browse/JBWEB-134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remy Maucherat resolved JBWEB-134.
----------------------------------
Resolution: Rejected
This is wrong. If a constraint does not need auth to be resolved, this does not mean access will be granted (for starters, it could be a constraint to deny all). Of course, it is not so useful at first glance that this is passed to the realm for resolution (done in RealmBase.hasResourcePermission), but that's how it works (which could be because it would be legal to base an access decision on other parameters than the principal, depending on the realm, maybe a cookie submitted or something) and your realm should handle that.
> AuthenticatorBase calls hasResourcePermission when authentication not performed
> -------------------------------------------------------------------------------
>
> Key: JBWEB-134
> URL: https://jira.jboss.org/jira/browse/JBWEB-134
> Project: JBoss Web
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Tomcat
> Affects Versions: JBossWeb-2.1.1.GA
> Reporter: Anil Saldhana
> Assignee: Remy Maucherat
> Priority: Critical
>
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?annotate=729652
> Line 507. The check to hasResourcePermissionCheck should not happen if the local variable authRequired is false.
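The deny-all case from the resolution, as an added example (not Tomcat or JBoss Web code): a simplified model of the authRequired computation and of a realm's hasResourcePermission, showing why skipping the realm whenever authRequired is false would let an empty auth-constraint through. The Constraint class, the authRequired() rule and the role-check logic are assumptions modelled on the behaviour described above, not the project's own API.

```java
import java.util.Set;

// Model of the JBWEB-134 decision path (constructed example, not Tomcat code).
// An <auth-constraint> with no roles means "deny everyone"; a constraint
// without any <auth-constraint> means "permit everyone" (Servlet spec semantics).
public class ConstraintDecision {

    static final class Constraint {
        final boolean hasAuthConstraint;  // <auth-constraint> element present?
        final Set<String> roles;          // roles listed in it (may be empty)
        Constraint(boolean hasAuthConstraint, Set<String> roles) {
            this.hasAuthConstraint = hasAuthConstraint;
            this.roles = roles;
        }
        // Assumed authRequired rule: a login is only needed when there is at
        // least one role to check. A deny-all constraint therefore yields false.
        boolean authRequired() {
            return hasAuthConstraint && !roles.isEmpty();
        }
    }

    // Stand-in for Realm.hasResourcePermission: the realm owns the final decision.
    static boolean hasResourcePermission(Constraint c, Set<String> principalRoles) {
        if (!c.hasAuthConstraint) return true;      // unconstrained resource
        if (c.roles.isEmpty()) return false;        // deny-all, no matter who asks
        if (principalRoles == null) return false;   // nobody logged in
        if (c.roles.contains("*")) return !principalRoles.isEmpty();
        for (String r : c.roles) if (principalRoles.contains(r)) return true;
        return false;
    }

    // Reporter's proposal: bypass the realm when authRequired is false.
    static boolean accessSkippingRealm(Constraint c, Set<String> principalRoles) {
        return !c.authRequired() || hasResourcePermission(c, principalRoles);
    }

    // Behaviour defended in the resolution: always ask the realm.
    static boolean accessAskingRealm(Constraint c, Set<String> principalRoles) {
        return hasResourcePermission(c, principalRoles);
    }

    public static void main(String[] args) {
        Constraint denyAll = new Constraint(true, Set.of());   // <auth-constraint/>
        Constraint open = new Constraint(false, Set.of());     // no auth-constraint
        System.out.println("deny-all, anonymous, skipping realm: " + accessSkippingRealm(denyAll, null));
        System.out.println("deny-all, anonymous, asking realm:   " + accessAskingRealm(denyAll, null));
        System.out.println("open, anonymous, asking realm:       " + accessAskingRealm(open, null));
    }
}
```

The first line of output is the grant that the proposed change would produce for a resource the deployment descriptor meant to deny to everyone; the realm-based path refuses it while still permitting the genuinely unconstrained resource.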